How early should I get alerted before a certificate expires?

A common, safe schedule is alerts at 30, 15, and 7 days before the not-after date. The 30-day notice gives time to diagnose a failed auto-renewal, while the 7-day notice forces a manual fix before the certificate becomes invalid. With lifetimes dropping toward 47 days by 2029, an even tighter window for renewal checks is advisable.

What happens when an SSL certificate expires?

Browsers stop trusting the connection and show a full-page warning, such as NET::ERR_CERT_DATE_INVALID in Chrome, that most visitors will not bypass. Because the failure is hard and immediate, legitimate traffic and conversions can fall to near zero within minutes. There is no gradual degradation, so the outage is total until the certificate is renewed.

Is SSL certificate monitoring different from uptime monitoring?

Yes. Uptime monitoring confirms the server responds, while certificate monitoring inspects the TLS layer: expiry date, chain validity, hostname or SAN match, and revocation. A site can return HTTP 200 with an expired or misissued certificate, so an uptime check alone can pass while every real browser refuses to load the page.

What is the maximum lifetime of a public TLS certificate today?

Public-trust TLS certificates have been capped at 398 days since September 1, 2020. Under CA/Browser Forum Ballot SC-081v3, that maximum drops to 200 days on March 15, 2026, to 100 days on March 15, 2027, and to 47 days on March 15, 2029. Shorter validity means more frequent renewals and a stronger case for automated monitoring.

What Is SSL Certificate Monitoring?

Reviewed by Ionut Caval · Updated June 2026

SSL certificate monitoring is the automated, continuous checking that a site's TLS certificate is valid, trusted, hostname-matched, and not close to expiry, with alerts sent days before an expired certificate can trigger downtime.

Expiry is silent until the moment it bites. A certificate stays fully functional one second and hard-fails the next: browsers block an expired certificate with NET::ERR_CERT_DATE_INVALID, an interstitial most visitors will not click through, so real traffic drops to near zero instantly. Renewals are also easy to forget after a staff change, when the engineer who set a calendar reminder has left and the reminder left with them.

The compressing certificate lifetime makes this harder to track by hand. Public-trust TLS certificates have been capped at 398 days since September 1, 2020. In April 2025 the CA/Browser Forum passed Ballot SC-081v3 (29 in favor, none opposed) to cut the maximum in stages: 200 days from March 15, 2026, 100 days from March 15, 2027, and 47 days from March 15, 2029. Shorter windows mean more renewals per year and more chances to miss one.

What an SSL certificate monitor checks

Expiry date: how many days remain before the not-after timestamp, the most common cause of an SSL outage.
Certificate-chain validity: that every intermediate is present and chains to a trusted root, so clients do not throw an untrusted-issuer error.
Hostname and SAN match: that the requested host appears in the Subject Alternative Name list, not just the legacy Common Name.
Revocation: OCSP or CRL status, catching a certificate pulled before its scheduled expiry.
Weak protocol or cipher: flags for deprecated TLS 1.0/1.1 or a too-small key, distinct from a plain health check on the endpoint itself.

When to alert before expiry

A single warning at the deadline is too late if automation has already failed. A standard schedule is to alert at 30, 15, and 7 days before expiry. The 30-day notice gives time to investigate why an ACME auto-renewal did not fire; the 7-day notice forces a manual renewal before the certificate goes invalid. Pulsetic's SSL monitoring runs these checks continuously and notifies you across your chosen channels.

Certificate expiry is not the same as domain expiry. A current TLS certificate on a domain whose registration has lapsed still leaves the site unreachable once the name stops resolving, so pair this with domain expiration monitoring to cover both failure modes.

Frequently asked questions

How early should I get alerted before a certificate expires?

A common, safe schedule is alerts at 30, 15, and 7 days before the not-after date. The 30-day notice gives time to diagnose a failed auto-renewal, while the 7-day notice forces a manual fix before the certificate becomes invalid. With lifetimes dropping toward 47 days by 2029, an even tighter window for renewal checks is advisable.
What happens when an SSL certificate expires?

Browsers stop trusting the connection and show a full-page warning, such as NET::ERR_CERT_DATE_INVALID in Chrome, that most visitors will not bypass. Because the failure is hard and immediate, legitimate traffic and conversions can fall to near zero within minutes. There is no gradual degradation, so the outage is total until the certificate is renewed.
Is SSL certificate monitoring different from uptime monitoring?

Yes. Uptime monitoring confirms the server responds, while certificate monitoring inspects the TLS layer: expiry date, chain validity, hostname or SAN match, and revocation. A site can return HTTP 200 with an expired or misissued certificate, so an uptime check alone can pass while every real browser refuses to load the page.
What is the maximum lifetime of a public TLS certificate today?

Public-trust TLS certificates have been capped at 398 days since September 1, 2020. Under CA/Browser Forum Ballot SC-081v3, that maximum drops to 200 days on March 15, 2026, to 100 days on March 15, 2027, and to 47 days on March 15, 2029. Shorter validity means more frequent renewals and a stronger case for automated monitoring.

Put these metrics to work. Monitor your site free.

2-minute setup · Cancel any time
Create Free Account

Your Dashboard

No credit card needed